vendor: update buildkit to f5a55a95

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

builder/builder-next/worker/worker.go

@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	nethttp "net/http"
 	"runtime"
+	"strings"
 	"time"
 
 	"github.com/containerd/containerd/content"
@@ -43,6 +44,7 @@ import (
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	bolt "go.etcd.io/bbolt"
 )
 
 const labelCreatedAt = "buildkit/createdat"
@@ -257,6 +259,47 @@ func (w *Worker) GetRemote(ctx context.Context, ref cache.ImmutableRef, createIf
 	}, nil
 }
 
+// PruneCacheMounts removes the current cache snapshots for specified IDs
+func (w *Worker) PruneCacheMounts(ctx context.Context, ids []string) error {
+	mu := ops.CacheMountsLocker()
+	mu.Lock()
+	defer mu.Unlock()
+
+	for _, id := range ids {
+		id = "cache-dir:" + id
+		sis, err := w.MetadataStore.Search(id)
+		if err != nil {
+			return err
+		}
+		for _, si := range sis {
+			for _, k := range si.Indexes() {
+				if k == id || strings.HasPrefix(k, id+":") {
+					if siCached := w.CacheManager.Metadata(si.ID()); siCached != nil {
+						si = siCached
+					}
+					if err := cache.CachePolicyDefault(si); err != nil {
+						return err
+					}
+					si.Queue(func(b *bolt.Bucket) error {
+						return si.SetValue(b, k, nil)
+					})
+					if err := si.Commit(); err != nil {
+						return err
+					}
+					// if ref is unused try to clean it up right away by releasing it
+					if mref, err := w.CacheManager.GetMutable(ctx, si.ID()); err == nil {
+						go mref.Release(context.TODO())
+					}
+					break
+				}
+			}
+		}
+	}
+
+	ops.ClearActiveCacheMounts()
+	return nil
+}
+
 // FromRemote converts a remote snapshot reference to a local one
 func (w *Worker) FromRemote(ctx context.Context, remote *solver.Remote) (cache.ImmutableRef, error) {
 	rootfs, err := getLayers(ctx, remote.Descriptors)

vendor.conf

@@ -27,7 +27,7 @@ github.com/imdario/mergo                            7c29201646fa3de8506f70121347
 golang.org/x/sync                                   e225da77a7e68af35c70ccbf71af2b83e6acac3c
 
 # buildkit
-github.com/moby/buildkit                            a258bd18b2c55aac4e8a10a3074757d66d45cef6
+github.com/moby/buildkit                            f5a55a9516d1c6e2ade9bec22b83259caeed3a84 
 github.com/tonistiigi/fsutil                        3bbb99cdbd76619ab717299830c60f6f2a533a6b
 github.com/grpc-ecosystem/grpc-opentracing          8e809c8a86450a29b90dcc9efbf062d0fe6d9746
 github.com/opentracing/opentracing-go               1361b9cd60be79c4c3a7fa9841b3c132e40066a7

vendor/github.com/moby/buildkit/README.md

@@ -1,16 +1,15 @@
 [![asciicinema example](https://asciinema.org/a/gPEIEo1NzmDTUu2bEPsUboqmU.png)](https://asciinema.org/a/gPEIEo1NzmDTUu2bEPsUboqmU)
 
-
 ## BuildKit
 
 [![GoDoc](https://godoc.org/github.com/moby/buildkit?status.svg)](https://godoc.org/github.com/moby/buildkit/client/llb)
 [![Build Status](https://travis-ci.org/moby/buildkit.svg?branch=master)](https://travis-ci.org/moby/buildkit)
 [![Go Report Card](https://goreportcard.com/badge/github.com/moby/buildkit)](https://goreportcard.com/report/github.com/moby/buildkit)
 
-
 BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.
 
 Key features:
+
 -   Automatic garbage collection
 -   Extendable frontend formats
 -   Concurrent dependency resolution
@@ -22,7 +21,6 @@ Key features:
 -   Pluggable architecture
 -   Execution without root privileges
 
-
 Read the proposal from https://github.com/moby/moby/issues/32925
 
 Introductory blog post https://blog.mobyproject.org/introducing-buildkit-17e056cc5317
@@ -38,16 +36,17 @@ BuildKit is used by the following projects:
 -   [OpenFaaS Cloud](https://github.com/openfaas/openfaas-cloud)
 -   [container build interface](https://github.com/containerbuilding/cbi)
 -   [Knative Build Templates](https://github.com/knative/build-templates)
+-   [the Sanic build tool](https://github.com/distributed-containers-inc/sanic)
 -   [vab](https://github.com/stellarproject/vab)
 -   [Rio](https://github.com/rancher/rio) (on roadmap)
 
 ### Quick start
 
 Dependencies:
+
 -   [runc](https://github.com/opencontainers/runc)
 -   [containerd](https://github.com/containerd/containerd) (if you want to use containerd worker)
 
-
 The following command installs `buildkitd` and `buildctl` to `/usr/local/bin`:
 
 ```bash
@@ -58,14 +57,13 @@ You can also use `make binaries-all` to prepare `buildkitd.containerd_only` and
 
 #### Starting the buildkitd daemon:
 
-```
+```bash
 buildkitd --debug --root /var/lib/buildkit
 ```
 
 The buildkitd daemon supports two worker backends: OCI (runc) and containerd.
 
-By default, the OCI (runc) worker is used.
+By default, the OCI (runc) worker is used. You can set `--oci-worker=false --containerd-worker=true` to use the containerd worker.
-You can set `--oci-worker=false --containerd-worker=true` to use the containerd worker.
 
 We are open to adding more backends.
 
@@ -91,13 +89,16 @@ For understanding the basics of LLB, `examples/buildkit*` directory contains scr
 You can use `buildctl debug dump-llb` to see what data is in this definition. Add `--dot` to generate dot layout.
 
 ```bash
-go run examples/buildkit0/buildkit.go | buildctl debug dump-llb | jq .
+go run examples/buildkit0/buildkit.go \
+    | buildctl debug dump-llb \
+    | jq .
 ```
 
 To start building use `buildctl build` command. The example script accepts `--with-containerd` flag to choose if containerd binaries and support should be included in the end result as well.
 
 ```bash
-go run examples/buildkit0/buildkit.go | buildctl build
+go run examples/buildkit0/buildkit.go \
+    | buildctl build
 ```
 
 `buildctl build` will show interactive progress bar by default while the build job is running. If the path to the trace file is specified, the trace file generated will contain all information about the timing of the individual steps and logs.
@@ -111,7 +112,6 @@ Different versions of the example scripts show different ways of describing the
 -   `./examples/dockerfile2llb` - can be used to convert a Dockerfile to LLB for debugging purposes
 -   `./examples/gobuild` - shows how to use nested invocation to generate LLB for Go package internal dependencies
 
-
 #### Exploring Dockerfiles
 
 Frontends are components that run inside BuildKit and convert any build definition to LLB. There is a special frontend called gateway (gateway.v0) that allows using any image as a frontend.
@@ -120,9 +120,18 @@ During development, Dockerfile frontend (dockerfile.v0) is also part of the Buil
 
 ##### Building a Dockerfile with `buildctl`
 
-```
+```bash
-buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=.
+buildctl build \
-buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=. --opt target=foo --opt build-arg:foo=bar
+    --frontend=dockerfile.v0 \
+    --local context=. \
+    --local dockerfile=.
+# or
+buildctl build \
+    --frontend=dockerfile.v0 \
+    --local context=. \
+    --local dockerfile=. \
+    --opt target=foo \
+    --opt build-arg:foo=bar
 ```
 
 `--local` exposes local source files from client to the builder. `context` and `dockerfile` are the names Dockerfile frontend looks for build context and Dockerfile location.
@@ -131,8 +140,9 @@ buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=. -
 
 For people familiar with `docker build` command, there is an example wrapper utility in `./examples/build-using-dockerfile` that allows building Dockerfiles with BuildKit using a syntax similar to `docker build`.
 
-```
+```bash
-go build ./examples/build-using-dockerfile && sudo install build-using-dockerfile /usr/local/bin
+go build ./examples/build-using-dockerfile \
+    && sudo install build-using-dockerfile /usr/local/bin
 
 build-using-dockerfile -t myimage .
 build-using-dockerfile -t mybuildkit -f ./hack/dockerfiles/test.Dockerfile .
@@ -145,10 +155,18 @@ docker inspect myimage
 
 External versions of the Dockerfile frontend are pushed to https://hub.docker.com/r/docker/dockerfile-upstream and https://hub.docker.com/r/docker/dockerfile and can be used with the gateway frontend. The source for the external frontend is currently located in `./frontend/dockerfile/cmd/dockerfile-frontend` but will move out of this repository in the future ([#163](https://github.com/moby/buildkit/issues/163)). For automatic build from master branch of this repository `docker/dockerfile-upsteam:master` or `docker/dockerfile-upstream:master-experimental` image can be used.
 
+```bash
+buildctl build \
+    --frontend gateway.v0 \
+    --opt source=docker/dockerfile \
+    --local context=. \
+    --local dockerfile=.
+buildctl build \
+    --frontend gateway.v0 \
+    --opt source=docker/dockerfile \
+    --opt context=git://github.com/moby/moby \
+    --opt build-arg:APT_MIRROR=cdn-fastly.deb.debian.org
 ```
-buildctl build --frontend gateway.v0 --opt source=docker/dockerfile --local context=. --local dockerfile=.
-buildctl build --frontend gateway.v0 --opt source=docker/dockerfile --opt context=git://github.com/moby/moby --opt build-arg:APT_MIRROR=cdn-fastly.deb.debian.org
-````
 
 ##### Building a Dockerfile with experimental features like `RUN --mount=type=(bind|cache|tmpfs|secret|ssh)`
 
@@ -162,29 +180,29 @@ By default, the build result and intermediate cache will only remain internally
 
 The containerd worker needs to be used
 
-```
+```bash
 buildctl build ... --output type=image,name=docker.io/username/image
 ctr --namespace=buildkit images ls
 ```
 
 ##### Push resulting image to registry
 
-```
+```bash
 buildctl build ... --output type=image,name=docker.io/username/image,push=true
 ```
 
 If credentials are required, `buildctl` will attempt to read Docker configuration file.
 
-
 ##### Exporting build result back to client
 
 The local client will copy the files directly to the client. This is useful if BuildKit is being used for building something else than container images.
 
-```
+```bash
 buildctl build ... --output type=local,dest=path/to/output-dir
 ```
 
 To export specific files use multi-stage builds with a scratch stage and copy the needed files into that stage with `COPY --from`.
+
 ```dockerfile
 ...
 FROM scratch as testresult
@@ -193,28 +211,27 @@ COPY --from=builder /usr/src/app/testresult.xml .
 ...
 ```
 
-```
+```bash
 buildctl build ... --opt target=testresult --output type=local,dest=path/to/output-dir
 ```
 
 Tar exporter is similar to local exporter but transfers the files through a tarball.
 
-```
+```bash
 buildctl build ... --output type=tar,dest=out.tar
 buildctl build ... --output type=tar > out.tar
 ```
 
-
 ##### Exporting built image to Docker
 
-```
+```bash
 # exported tarball is also compatible with OCI spec
 buildctl build ... --output type=docker,name=myimage | docker load
 ```
 
 ##### Exporting [OCI Image Format](https://github.com/opencontainers/image-spec) tarball to client
 
-```
+```bash
 buildctl build ... --output type=oci,dest=path/to/output.tar
 buildctl build ... --output type=oci > output.tar
 ```
@@ -223,14 +240,14 @@ buildctl build ... --output type=oci > output.tar
 
 #### To/From registry
 
-```
+```bash
 buildctl build ... --export-cache type=registry,ref=localhost:5000/myrepo:buildcache
 buildctl build ... --import-cache type=registry,ref=localhost:5000/myrepo:buildcache
 ```
 
 #### To/From local filesystem
 
-```
+```bash
 buildctl build ... --export-cache type=local,dest=path/to/output-dir
 buildctl build ... --import-cache type=local,src=path/to/input-dir
 ```
@@ -238,27 +255,29 @@ buildctl build ... --import-cache type=local,src=path/to/input-dir
 The directory layout conforms to OCI Image Spec v1.0.
 
 #### `--export-cache` options
-* `mode=min` (default): only export layers for the resulting image
+
-* `mode=max`: export all the layers of all intermediate steps
+-   `mode=min` (default): only export layers for the resulting image
-* `ref=docker.io/user/image:tag`: reference for `registry` cache exporter
+-   `mode=max`: export all the layers of all intermediate steps
-* `dest=path/to/output-dir`: directory for `local` cache exporter
+-   `ref=docker.io/user/image:tag`: reference for `registry` cache exporter
+-   `dest=path/to/output-dir`: directory for `local` cache exporter
 
 #### `--import-cache` options
-* `ref=docker.io/user/image:tag`: reference for `registry` cache importer
+
-* `src=path/to/input-dir`: directory for `local` cache importer
+-   `ref=docker.io/user/image:tag`: reference for `registry` cache importer
-* `digest=sha256:deadbeef`: digest of the manifest list to import for `local` cache importer. Defaults to the digest of "latest" tag in `index.json`
+-   `src=path/to/input-dir`: directory for `local` cache importer
+-   `digest=sha256:deadbeef`: digest of the manifest list to import for `local` cache importer. Defaults to the digest of "latest" tag in `index.json`
 
 ### Other
 
 #### View build cache
 
-```
+```bash
 buildctl du -v
 ```
 
 #### Show enabled workers
 
-```
+```bash
 buildctl debug workers -v
 ```
 
@@ -268,14 +287,14 @@ BuildKit can also be used by running the `buildkitd` daemon inside a Docker cont
 
 We provide `buildkitd` container images as [`moby/buildkit`](https://hub.docker.com/r/moby/buildkit/tags/):
 
-* `moby/buildkit:latest`: built from the latest regular [release](https://github.com/moby/buildkit/releases)
+-   `moby/buildkit:latest`: built from the latest regular [release](https://github.com/moby/buildkit/releases)
-* `moby/buildkit:rootless`: same as `latest` but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)
+-   `moby/buildkit:rootless`: same as `latest` but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)
-* `moby/buildkit:master`: built from the master branch
+-   `moby/buildkit:master`: built from the master branch
-* `moby/buildkit:master-rootless`: same as master but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)
+-   `moby/buildkit:master-rootless`: same as master but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)
 
 To run daemon in a container:
 
-```
+```bash
 docker run -d --privileged -p 1234:1234 moby/buildkit:latest --addr tcp://0.0.0.0:1234
 export BUILDKIT_HOST=tcp://0.0.0.0:1234
 buildctl build --help
@@ -283,26 +302,50 @@ buildctl build --help
 
 To run client and an ephemeral daemon in a single container ("daemonless mode"):
 
-```
+```bash
-docker run -it --rm --privileged -v /path/to/dir:/tmp/work --entrypoint buildctl-daemonless.sh moby/buildkit:master build --frontend dockerfile.v0 --local context=/tmp/work --local dockerfile=/tmp/work
+docker run \
-```
+    -it \
-or
+    --rm \
-```
+    --privileged \
-docker run -it --rm --security-opt seccomp=unconfined --security-opt apparmor=unconfined -e BUILDKITD_FLAGS=--oci-worker-no-process-sandbox -v /path/to/dir:/tmp/work --entrypoint buildctl-daemonless.sh moby/buildkit:master-rootless build --frontend dockerfile.v0 --local context=/tmp/work --local dockerfile=/tmp/work
+    -v /path/to/dir:/tmp/work \
+    --entrypoint buildctl-daemonless.sh \
+    moby/buildkit:master \
+        build \
+        --frontend dockerfile.v0 \
+        --local context=/tmp/work \
+        --local dockerfile=/tmp/work
 ```
 
-The images can be also built locally using `./hack/dockerfiles/test.Dockerfile` (or `./hack/dockerfiles/test.buildkit.Dockerfile` if you already have BuildKit).
+or
-Run `make images` to build the images as `moby/buildkit:local` and `moby/buildkit:local-rootless`.
+
+```bash
+docker run \
+    -it \
+    --rm \
+    --security-opt seccomp=unconfined \
+    --security-opt apparmor=unconfined \
+    -e BUILDKITD_FLAGS=--oci-worker-no-process-sandbox \
+    -v /path/to/dir:/tmp/work \
+    --entrypoint buildctl-daemonless.sh \
+    moby/buildkit:master-rootless \
+        build \
+        --frontend \
+        dockerfile.v0 \
+        --local context=/tmp/work \
+        --local dockerfile=/tmp/work
+```
+
+The images can be also built locally using `./hack/dockerfiles/test.Dockerfile` (or `./hack/dockerfiles/test.buildkit.Dockerfile` if you already have BuildKit). Run `make images` to build the images as `moby/buildkit:local` and `moby/buildkit:local-rootless`.
 
 #### Connection helpers
 
 If you are running `moby/buildkit:master` or `moby/buildkit:master-rootless` as a Docker/Kubernetes container, you can use special `BUILDKIT_HOST` URL for connecting to the BuildKit daemon in the container:
 
-```
+```bash
 export BUILDKIT_HOST=docker-container://<container>
 ```
 
-```
+```bash
 export BUILDKIT_HOST=kube-pod://<pod>
 ```
 
@@ -310,15 +353,13 @@ export BUILDKIT_HOST=kube-pod://<pod>
 
 BuildKit supports opentracing for buildkitd gRPC API and buildctl commands. To capture the trace to [Jaeger](https://github.com/jaegertracing/jaeger), set `JAEGER_TRACE` environment variable to the collection address.
 
-
+```bash
-```
 docker run -d -p6831:6831/udp -p16686:16686 jaegertracing/all-in-one:latest
 export JAEGER_TRACE=0.0.0.0:6831
 # restart buildkitd and buildctl so they know JAEGER_TRACE
 # any buildctl command should be traced to http://127.0.0.1:16686/
 ```
 
-
 ### Supported runc version
 
 During development, BuildKit is tested with the version of runc that is being used by the containerd repository. Please refer to [runc.md](https://github.com/containerd/containerd/blob/v1.2.1/RUNC.md) for more information.
@@ -329,5 +370,4 @@ Please refer to [`docs/rootless.md`](docs/rootless.md).
 
 ### Contributing
 
-Want to contribute to BuildKit? Awesome! You can find information about
+Want to contribute to BuildKit? Awesome! You can find information about contributing to this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md)
-contributing to this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md)

vendor/github.com/moby/buildkit/cache/manager.go

@@ -36,6 +36,7 @@ type Accessor interface {
 	New(ctx context.Context, s ImmutableRef, opts ...RefOption) (MutableRef, error)
 	GetMutable(ctx context.Context, id string) (MutableRef, error) // Rebase?
 	IdentityMapping() *idtools.IdentityMapping
+	Metadata(string) *metadata.StorageItem
 }
 
 type Controller interface {
@@ -124,6 +125,16 @@ func (cm *cacheManager) GetFromSnapshotter(ctx context.Context, id string, opts
 	return cm.get(ctx, id, true, opts...)
 }
 
+func (cm *cacheManager) Metadata(id string) *metadata.StorageItem {
+	cm.mu.Lock()
+	defer cm.mu.Unlock()
+	r, ok := cm.records[id]
+	if !ok {
+		return nil
+	}
+	return r.Metadata()
+}
+
 // get requires manager lock to be taken
 func (cm *cacheManager) get(ctx context.Context, id string, fromSnapshotter bool, opts ...RefOption) (*immutableRef, error) {
 	rec, err := cm.getRecord(ctx, id, fromSnapshotter, opts...)

vendor/github.com/moby/buildkit/cache/metadata/metadata.go

@@ -250,6 +250,10 @@ func (s *StorageItem) Update(fn func(b *bolt.Bucket) error) error {
 	return s.storage.Update(s.id, fn)
 }
 
+func (s *StorageItem) Metadata() *StorageItem {
+	return s
+}
+
 func (s *StorageItem) Keys() []string {
 	keys := make([]string, 0, len(s.values))
 	for k := range s.values {
@@ -333,6 +337,15 @@ func (s *StorageItem) Indexes() (out []string) {
 
 func (s *StorageItem) SetValue(b *bolt.Bucket, key string, v *Value) error {
 	if v == nil {
+		if old, ok := s.values[key]; ok {
+			if old.Index != "" {
+				b, err := b.Tx().CreateBucketIfNotExists([]byte(indexBucket))
+				if err != nil {
+					return errors.WithStack(err)
+				}
+				b.Delete([]byte(indexKey(old.Index, s.ID()))) // ignore error
+			}
+		}
 		if err := b.Put([]byte(key), nil); err != nil {
 			return err
 		}

vendor/github.com/moby/buildkit/cache/refs.go

@@ -2,6 +2,7 @@ package cache
 
 import (
 	"context"
+	"strings"
 	"sync"
 
 	"github.com/containerd/containerd/mount"
@@ -429,6 +430,10 @@ func (m *readOnlyMounter) Mount() ([]mount.Mount, error) {
 		return nil, err
 	}
 	for i, m := range mounts {
+		if m.Type == "overlay" {
+			mounts[i].Options = readonlyOverlay(m.Options)
+			continue
+		}
 		opts := make([]string, 0, len(m.Options))
 		for _, opt := range m.Options {
 			if opt != "rw" {
@@ -440,3 +445,23 @@ func (m *readOnlyMounter) Mount() ([]mount.Mount, error) {
 	}
 	return mounts, nil
 }
+
+func readonlyOverlay(opt []string) []string {
+	out := make([]string, 0, len(opt))
+	upper := ""
+	for _, o := range opt {
+		if strings.HasPrefix(o, "upperdir=") {
+			upper = strings.TrimPrefix(o, "upperdir=")
+		} else if !strings.HasPrefix(o, "workdir=") {
+			out = append(out, o)
+		}
+	}
+	if upper != "" {
+		for i, o := range out {
+			if strings.HasPrefix(o, "lowerdir=") {
+				out[i] = "lowerdir=" + upper + ":" + strings.TrimPrefix(o, "lowerdir=")
+			}
+		}
+	}
+	return out
+}

vendor/github.com/moby/buildkit/cache/remotecache/v1/utils.go

@@ -67,8 +67,8 @@ func sortConfig(cc *CacheConfig) {
 		if ri.Digest != rj.Digest {
 			return ri.Digest < rj.Digest
 		}
-		if len(ri.Inputs) != len(ri.Inputs) {
+		if len(ri.Inputs) != len(rj.Inputs) {
-			return len(ri.Inputs) < len(ri.Inputs)
+			return len(ri.Inputs) < len(rj.Inputs)
 		}
 		for i, inputs := range ri.Inputs {
 			if len(ri.Inputs[i]) != len(rj.Inputs[i]) {
@@ -76,7 +76,7 @@ func sortConfig(cc *CacheConfig) {
 			}
 			for j := range inputs {
 				if ri.Inputs[i][j].Selector != rj.Inputs[i][j].Selector {
-					return ri.Inputs[i][j].Selector != rj.Inputs[i][j].Selector
+					return ri.Inputs[i][j].Selector < rj.Inputs[i][j].Selector
 				}
 				return cc.Records[ri.Inputs[i][j].LinkIndex].Digest < cc.Records[rj.Inputs[i][j].LinkIndex].Digest
 			}

vendor/github.com/moby/buildkit/client/solve.go

@@ -46,7 +46,7 @@ type SolveOpt struct {
 type ExportEntry struct {
 	Type      string
 	Attrs     map[string]string
-	Output    io.WriteCloser // for ExporterOCI and ExporterDocker
+	Output    func(map[string]string) (io.WriteCloser, error) // for ExporterOCI and ExporterDocker
 	OutputDir string                                          // for ExporterLocal
 }
 

vendor/github.com/moby/buildkit/control/control.go

@@ -38,13 +38,13 @@ type Opt struct {
 }
 
 type Controller struct { // TODO: ControlService
+	buildCount       int64
 	opt              Opt
 	solver           *llbsolver.Solver
 	cache            solver.CacheManager
 	gatewayForwarder *controlgateway.GatewayForwarder
 	throttledGC      func()
 	gcmu             sync.Mutex
-	buildCount       int64
 }
 
 func NewController(opt Opt) (*Controller, error) {

vendor/github.com/moby/buildkit/executor/oci/spec_unix.go

@@ -101,11 +101,11 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 	}
 
 	if meta.SecurityMode == pb.SecurityMode_INSECURE {
-		//make sysfs rw mount for insecure mode.
+		if err = oci.WithWriteableCgroupfs(ctx, nil, c, s); err != nil {
-		for _, m := range s.Mounts {
+			return nil, nil, err
-			if m.Type == "sysfs" {
-				m.Options = []string{"nosuid", "noexec", "nodev", "rw"}
 		}
+		if err = oci.WithWriteableSysfs(ctx, nil, c, s); err != nil {
+			return nil, nil, err
 		}
 	}
 

vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go

@@ -236,9 +236,11 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.
 	if err != nil {
 		return errors.Wrapf(err, "working dir %s points to invalid target", newp)
 	}
+	if _, err := os.Stat(newp); err != nil {
 		if err := idtools.MkdirAllAndChown(newp, 0755, identity); err != nil {
 			return errors.Wrapf(err, "failed to create working directory %s", newp)
 		}
+	}
 
 	if err := setOOMScoreAdj(spec); err != nil {
 		return err

vendor/github.com/moby/buildkit/exporter/tar/export.go

@@ -147,7 +147,7 @@ func (e *localExporterInstance) Export(ctx context.Context, inp exporter.Source)
 		fs = d.FS
 	}
 
-	w, err := filesync.CopyFileWriter(ctx, e.caller)
+	w, err := filesync.CopyFileWriter(ctx, nil, e.caller)
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/moby/buildkit/frontend/dockerfile/builder/build.go

@@ -34,6 +34,7 @@ const (
 	keyFilename                = "filename"
 	keyCacheFrom               = "cache-from"    // for registry only. deprecated in favor of keyCacheImports
 	keyCacheImports            = "cache-imports" // JSON representation of []CacheOptionsEntry
+	keyCacheNS                 = "build-arg:BUILDKIT_CACHE_MOUNT_NS"
 	defaultDockerfileName      = "Dockerfile"
 	dockerignoreFilename       = ".dockerignore"
 	buildArgPrefix             = "build-arg:"
@@ -322,6 +323,7 @@ func Build(ctx context.Context, c client.Client) (*client.Result, error) {
 					MetaResolver:      c,
 					BuildArgs:         filter(opts, buildArgPrefix),
 					Labels:            filter(opts, labelPrefix),
+					CacheIDNamespace:  opts[keyCacheNS],
 					SessionID:         c.BuildOpts().SessionID,
 					BuildContext:      buildContext,
 					Excludes:          excludes,

vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go

@@ -461,7 +461,7 @@ type dispatchOpt struct {
 func dispatch(d *dispatchState, cmd command, opt dispatchOpt) error {
 	if ex, ok := cmd.Command.(instructions.SupportsSingleWordExpansion); ok {
 		err := ex.Expand(func(word string) (string, error) {
-			return opt.shlex.ProcessWordWithMap(word, toEnvMap(d.buildArgs, d.image.Config.Env))
+			return opt.shlex.ProcessWord(word, d.state.Env())
 		})
 		if err != nil {
 			return err
@@ -626,14 +626,7 @@ func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyE
 		args = withShell(d.image, args)
 	}
 	env := d.state.Env()
-	opt := []llb.RunOption{llb.Args(args)}
+	opt := []llb.RunOption{llb.Args(args), dfCmd(c)}
-	for _, arg := range d.buildArgs {
-		if arg.Value != nil {
-			env = append(env, fmt.Sprintf("%s=%s", arg.Key, arg.ValueString()))
-			opt = append(opt, llb.AddEnv(arg.Key, arg.ValueString()))
-		}
-	}
-	opt = append(opt, dfCmd(c))
 	if d.ignoreCache {
 		opt = append(opt, llb.IgnoreCache)
 	}
@@ -647,6 +640,11 @@ func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyE
 	}
 	opt = append(opt, runMounts...)
 
+	err = dispatchRunSecurity(d, c)
+	if err != nil {
+		return err
+	}
+
 	shlex := *dopt.shlex
 	shlex.RawQuotes = true
 	shlex.SkipUnsetEnv = true
@@ -656,7 +654,7 @@ func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyE
 		opt = append(opt, llb.AddExtraHost(h.Host, h.IP))
 	}
 	d.state = d.state.Run(opt...).Root()
-	return commitToHistory(&d.image, "RUN "+runCommandString(args, d.buildArgs), true, &d.state)
+	return commitToHistory(&d.image, "RUN "+runCommandString(args, d.buildArgs, shell.BuildEnvs(env)), true, &d.state)
 }
 
 func dispatchWorkdir(d *dispatchState, c *instructions.WorkdirCommand, commit bool, opt *dispatchOpt) error {
@@ -927,7 +925,7 @@ func dispatchHealthcheck(d *dispatchState, c *instructions.HealthCheckCommand) e
 func dispatchExpose(d *dispatchState, c *instructions.ExposeCommand, shlex *shell.Lex) error {
 	ports := []string{}
 	for _, p := range c.Ports {
-		ps, err := shlex.ProcessWordsWithMap(p, toEnvMap(d.buildArgs, d.image.Config.Env))
+		ps, err := shlex.ProcessWords(p, d.state.Env())
 		if err != nil {
 			return err
 		}
@@ -1000,6 +998,10 @@ func dispatchArg(d *dispatchState, c *instructions.ArgCommand, metaArgs []instru
 		}
 	}
 
+	if buildArg.Value != nil {
+		d.state = d.state.AddEnv(buildArg.Key, *buildArg.Value)
+	}
+
 	d.buildArgs = append(d.buildArgs, buildArg)
 	return commitToHistory(&d.image, commitStr, false, nil)
 }
@@ -1065,21 +1067,6 @@ func setKVValue(kvpo instructions.KeyValuePairOptional, values map[string]string
 	return kvpo
 }
 
-func toEnvMap(args []instructions.KeyValuePairOptional, env []string) map[string]string {
-	m := shell.BuildEnvs(env)
-
-	for _, arg := range args {
-		// If key already exists, keep previous value.
-		if _, ok := m[arg.Key]; ok {
-			continue
-		}
-		if arg.Value != nil {
-			m[arg.Key] = arg.ValueString()
-		}
-	}
-	return m
-}
-
 func dfCmd(cmd interface{}) llb.ConstraintsOpt {
 	// TODO: add fmt.Stringer to instructions.Command to remove interface{}
 	var cmdStr string
@@ -1094,10 +1081,14 @@ func dfCmd(cmd interface{}) llb.ConstraintsOpt {
 	})
 }
 
-func runCommandString(args []string, buildArgs []instructions.KeyValuePairOptional) string {
+func runCommandString(args []string, buildArgs []instructions.KeyValuePairOptional, envMap map[string]string) string {
 	var tmpBuildEnv []string
 	for _, arg := range buildArgs {
-		tmpBuildEnv = append(tmpBuildEnv, arg.Key+"="+arg.ValueString())
+		v, ok := envMap[arg.Key]
+		if !ok {
+			v = arg.ValueString()
+		}
+		tmpBuildEnv = append(tmpBuildEnv, arg.Key+"="+v)
 	}
 	if len(tmpBuildEnv) > 0 {
 		tmpBuildEnv = append([]string{fmt.Sprintf("|%d", len(tmpBuildEnv))}, tmpBuildEnv...)

vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_norunsecurity.go

@@ -0,0 +1,11 @@
+// +build !dfrunsecurity
+
+package dockerfile2llb
+
+import (
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+)
+
+func dispatchRunSecurity(d *dispatchState, c *instructions.RunCommand) error {
+	return nil
+}

vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_runmount.go

@@ -124,6 +124,9 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*
 			if mount.CacheSharing == instructions.MountSharingLocked {
 				sharing = llb.CacheMountLocked
 			}
+			if mount.CacheID == "" {
+				mount.CacheID = path.Clean(mount.Target)
+			}
 			mountOpts = append(mountOpts, llb.AsPersistentCacheDir(opt.cacheIDNamespace+"/"+mount.CacheID, sharing))
 		}
 		target := mount.Target
@@ -144,7 +147,9 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*
 
 		out = append(out, llb.AddMount(target, st, mountOpts...))
 
+		if mount.From == "" {
 			d.ctxPaths[path.Join("/", filepath.ToSlash(mount.Source))] = struct{}{}
 		}
+	}
 	return out, nil
 }

vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_runsecurity.go

@@ -0,0 +1,27 @@
+// +build dfrunsecurity
+
+package dockerfile2llb
+
+import (
+	"github.com/pkg/errors"
+
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/buildkit/solver/pb"
+)
+
+func dispatchRunSecurity(d *dispatchState, c *instructions.RunCommand) error {
+	security := instructions.GetSecurity(c)
+
+	for _, sec := range security {
+		switch sec {
+		case instructions.SecurityInsecure:
+			d.state = d.state.Security(pb.SecurityMode_INSECURE)
+		case instructions.SecuritySandbox:
+			d.state = d.state.Security(pb.SecurityMode_SANDBOX)
+		default:
+			return errors.Errorf("unsupported security mode %q", sec)
+		}
+	}
+
+	return nil
+}

vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands_runmount.go

@@ -142,6 +142,8 @@ func parseMount(value string) (*Mount, error) {
 				if m.Type == "secret" || m.Type == "ssh" {
 					m.Required = true
 					continue
+				} else {
+					return nil, errors.Errorf("unexpected key '%s' for mount type '%s'", key, m.Type)
 				}
 			}
 		}
@@ -176,6 +178,16 @@ func parseMount(value string) (*Mount, error) {
 			}
 			m.ReadOnly = !rw
 			roAuto = false
+		case "required":
+			if m.Type == "secret" || m.Type == "ssh" {
+				v, err := strconv.ParseBool(value)
+				if err != nil {
+					return nil, errors.Errorf("invalid value for %s: %s", key, value)
+				}
+				m.Required = v
+			} else {
+				return nil, errors.Errorf("unexpected key '%s' for mount type '%s'", key, m.Type)
+			}
 		case "id":
 			m.CacheID = value
 		case "sharing":

vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands_runsecurity.go

@@ -0,0 +1,83 @@
+// +build dfrunsecurity
+
+package instructions
+
+import (
+	"encoding/csv"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+const (
+	SecurityInsecure = "insecure"
+	SecuritySandbox  = "sandbox"
+)
+
+var allowedSecurity = map[string]struct{}{
+	SecurityInsecure: {},
+	SecuritySandbox:  {},
+}
+
+func isValidSecurity(value string) bool {
+	_, ok := allowedSecurity[value]
+	return ok
+}
+
+type securityKeyT string
+
+var securityKey = securityKeyT("dockerfile/run/security")
+
+func init() {
+	parseRunPreHooks = append(parseRunPreHooks, runSecurityPreHook)
+	parseRunPostHooks = append(parseRunPostHooks, runSecurityPostHook)
+}
+
+func runSecurityPreHook(cmd *RunCommand, req parseRequest) error {
+	st := &securityState{}
+	st.flag = req.flags.AddStrings("security")
+	cmd.setExternalValue(securityKey, st)
+	return nil
+}
+
+func runSecurityPostHook(cmd *RunCommand, req parseRequest) error {
+	st := getSecurityState(cmd)
+	if st == nil {
+		return errors.Errorf("no security state")
+	}
+
+	for _, value := range st.flag.StringValues {
+		csvReader := csv.NewReader(strings.NewReader(value))
+		fields, err := csvReader.Read()
+		if err != nil {
+			return errors.Wrap(err, "failed to parse csv security")
+		}
+
+		for _, field := range fields {
+			if !isValidSecurity(field) {
+				return errors.Errorf("security %q is not valid", field)
+			}
+
+			st.security = append(st.security, field)
+		}
+	}
+
+	return nil
+}
+
+func getSecurityState(cmd *RunCommand) *securityState {
+	v := cmd.getExternalValue(securityKey)
+	if v == nil {
+		return nil
+	}
+	return v.(*securityState)
+}
+
+func GetSecurity(cmd *RunCommand) []string {
+	return getSecurityState(cmd).security
+}
+
+type securityState struct {
+	flag     *Flag
+	security []string
+}

vendor/github.com/moby/buildkit/frontend/dockerfile/shell/lex.go

@@ -417,10 +417,7 @@ func BuildEnvs(env []string) map[string]string {
 			k := e[:i]
 			v := e[i+1:]
 
-			// If key already exists, keep previous value.
+			// overwrite value if key already exists
-			if _, ok := envs[k]; ok {
-				continue
-			}
 			envs[k] = v
 		}
 	}

vendor/github.com/moby/buildkit/go.mod

@@ -9,12 +9,14 @@ require (
 	github.com/codahale/hdrhistogram v0.0.0-20160425231609-f8ad88b59a58 // indirect
 	github.com/containerd/cgroups v0.0.0-20190226200435-dbea6f2bd416 // indirect
 	github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50
-	github.com/containerd/containerd v1.3.0-0.20190426060238-3a3f0aac8819
+	github.com/containerd/containerd v1.3.0-0.20190507210959-7c1e88399ec0
 	github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc
 	github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260 // indirect
+	github.com/containerd/go-cni v0.0.0-20190610170741-5a4663dad645
 	github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3
 	github.com/containerd/ttrpc v0.0.0-20190411181408-699c4e40d1e7 // indirect
 	github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd // indirect
+	github.com/containernetworking/cni v0.6.1-0.20180218032124-142cde0c766c // indirect
 	github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e
 	github.com/docker/cli v0.0.0-20190321234815-f40f9c240ab0
 	github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible
@@ -41,7 +43,7 @@ require (
 	github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c
 	github.com/opencontainers/go-digest v1.0.0-rc1
 	github.com/opencontainers/image-spec v1.0.1
-	github.com/opencontainers/runc v1.0.1-0.20190307181833-2b18fe1d885e
+	github.com/opencontainers/runc v1.0.0-rc8
 	github.com/opencontainers/runtime-spec v0.0.0-20180909173843-eba862dc2470
 	github.com/opentracing-contrib/go-stdlib v0.0.0-20171029140428-b1a47cfbdd75
 	github.com/opentracing/opentracing-go v0.0.0-20171003133519-1361b9cd60be

vendor/github.com/moby/buildkit/session/filesync/diffcopy.go

@@ -40,6 +40,12 @@ type streamWriterCloser struct {
 
 func (wc *streamWriterCloser) Write(dt []byte) (int, error) {
 	if err := wc.ClientStream.SendMsg(&BytesMessage{Data: dt}); err != nil {
+		// SendMsg return EOF on remote errors
+		if errors.Cause(err) == io.EOF {
+			if err := errors.WithStack(wc.ClientStream.RecvMsg(struct{}{})); err != nil {
+				return 0, err
+			}
+		}
 		return 0, errors.WithStack(err)
 	}
 	return len(dt), nil

vendor/github.com/moby/buildkit/session/filesync/filesync.go

@@ -23,6 +23,7 @@ const (
 	keyExcludePatterns    = "exclude-patterns"
 	keyFollowPaths        = "followpaths"
 	keyDirName            = "dir-name"
+	keyExporterMetaPrefix = "exporter-md-"
 )
 
 type fsSyncProvider struct {
@@ -238,16 +239,16 @@ func NewFSSyncTargetDir(outdir string) session.Attachable {
 }
 
 // NewFSSyncTarget allows writing into an io.WriteCloser
-func NewFSSyncTarget(w io.WriteCloser) session.Attachable {
+func NewFSSyncTarget(f func(map[string]string) (io.WriteCloser, error)) session.Attachable {
 	p := &fsSyncTarget{
-		outfile: w,
+		f: f,
 	}
 	return p
 }
 
 type fsSyncTarget struct {
 	outdir string
-	outfile io.WriteCloser
+	f      func(map[string]string) (io.WriteCloser, error)
 }
 
 func (sp *fsSyncTarget) Register(server *grpc.Server) {
@@ -258,11 +259,26 @@ func (sp *fsSyncTarget) DiffCopy(stream FileSend_DiffCopyServer) error {
 	if sp.outdir != "" {
 		return syncTargetDiffCopy(stream, sp.outdir)
 	}
-	if sp.outfile == nil {
+
+	if sp.f == nil {
 		return errors.New("empty outfile and outdir")
 	}
-	defer sp.outfile.Close()
+	opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
-	return writeTargetFile(stream, sp.outfile)
+	md := map[string]string{}
+	for k, v := range opts {
+		if strings.HasPrefix(k, keyExporterMetaPrefix) {
+			md[strings.TrimPrefix(k, keyExporterMetaPrefix)] = strings.Join(v, ",")
+		}
+	}
+	wc, err := sp.f(md)
+	if err != nil {
+		return err
+	}
+	if wc == nil {
+		return status.Errorf(codes.AlreadyExists, "target already exists")
+	}
+	defer wc.Close()
+	return writeTargetFile(stream, wc)
 }
 
 func CopyToCaller(ctx context.Context, fs fsutil.FS, c session.Caller, progress func(int, bool)) error {
@@ -281,7 +297,7 @@ func CopyToCaller(ctx context.Context, fs fsutil.FS, c session.Caller, progress
 	return sendDiffCopy(cc, fs, progress)
 }
 
-func CopyFileWriter(ctx context.Context, c session.Caller) (io.WriteCloser, error) {
+func CopyFileWriter(ctx context.Context, md map[string]string, c session.Caller) (io.WriteCloser, error) {
 	method := session.MethodURL(_FileSend_serviceDesc.ServiceName, "diffcopy")
 	if !c.Supports(method) {
 		return nil, errors.Errorf("method %s not supported by the client", method)
@@ -289,6 +305,13 @@ func CopyFileWriter(ctx context.Context, c session.Caller) (io.WriteCloser, erro
 
 	client := NewFileSendClient(c.Conn())
 
+	opts := make(map[string][]string, len(md))
+	for k, v := range md {
+		opts[keyExporterMetaPrefix+k] = []string{v}
+	}
+
+	ctx = metadata.NewOutgoingContext(ctx, opts)
+
 	cc, err := client.DiffCopy(ctx)
 	if err != nil {
 		return nil, errors.WithStack(err)

vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go

@@ -29,6 +29,7 @@ type llbBridge struct {
 	builder                   solver.Builder
 	frontends                 map[string]frontend.Frontend
 	resolveWorker             func() (worker.Worker, error)
+	eachWorker                func(func(worker.Worker) error) error
 	resolveCacheImporterFuncs map[string]remotecache.ResolveCacheImporterFunc
 	cms                       map[string]solver.CacheManager
 	cmsMu                     sync.Mutex
@@ -91,11 +92,25 @@ func (b *llbBridge) Solve(ctx context.Context, req frontend.SolveRequest) (res *
 		if err != nil {
 			return nil, err
 		}
+		dpc := &detectPrunedCacheID{}
 
-		edge, err := Load(req.Definition, ValidateEntitlements(ent), WithCacheSources(cms), RuntimePlatforms(b.platforms), WithValidateCaps())
+		edge, err := Load(req.Definition, dpc.Load, ValidateEntitlements(ent), WithCacheSources(cms), RuntimePlatforms(b.platforms), WithValidateCaps())
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to load LLB")
 		}
+
+		if len(dpc.ids) > 0 {
+			ids := make([]string, 0, len(dpc.ids))
+			for id := range dpc.ids {
+				ids = append(ids, id)
+			}
+			if err := b.eachWorker(func(w worker.Worker) error {
+				return w.PruneCacheMounts(ctx, ids)
+			}); err != nil {
+				return nil, err
+			}
+		}
+
 		ref, err := b.builder.Build(ctx, edge)
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to build LLB")

vendor/github.com/moby/buildkit/solver/llbsolver/ops/exec.go

@@ -221,11 +221,13 @@ func (e *execOp) getMountDeps() ([]dep, error) {
 }
 
 func (e *execOp) getRefCacheDir(ctx context.Context, ref cache.ImmutableRef, id string, m *pb.Mount, sharing pb.CacheSharingOpt) (mref cache.MutableRef, err error) {
-
 	key := "cache-dir:" + id
 	if ref != nil {
 		key += ":" + ref.ID()
 	}
+	mu := CacheMountsLocker()
+	mu.Lock()
+	defer mu.Unlock()
 
 	if ref, ok := e.cacheMounts[key]; ok {
 		return ref.clone(), nil
@@ -792,10 +794,17 @@ type cacheRefs struct {
 	shares map[string]*cacheRefShare
 }
 
-func (r *cacheRefs) get(key string, fn func() (cache.MutableRef, error)) (cache.MutableRef, error) {
+// ClearActiveCacheMounts clears shared cache mounts currently in use.
-	r.mu.Lock()
+// Caller needs to hold CacheMountsLocker before calling
-	defer r.mu.Unlock()
+func ClearActiveCacheMounts() {
+	sharedCacheRefs.shares = nil
+}
 
+func CacheMountsLocker() sync.Locker {
+	return &sharedCacheRefs.mu
+}
+
+func (r *cacheRefs) get(key string, fn func() (cache.MutableRef, error)) (cache.MutableRef, error) {
 	if r.shares == nil {
 		r.shares = map[string]*cacheRefShare{}
 	}

vendor/github.com/moby/buildkit/solver/llbsolver/solver.go

@@ -39,6 +39,7 @@ type Solver struct {
 	workerController          *worker.Controller
 	solver                    *solver.Solver
 	resolveWorker             ResolveWorkerFunc
+	eachWorker                func(func(worker.Worker) error) error
 	frontends                 map[string]frontend.Frontend
 	resolveCacheImporterFuncs map[string]remotecache.ResolveCacheImporterFunc
 	platforms                 []specs.Platform
@@ -51,6 +52,7 @@ func New(wc *worker.Controller, f map[string]frontend.Frontend, cache solver.Cac
 	s := &Solver{
 		workerController:          wc,
 		resolveWorker:             defaultResolver(wc),
+		eachWorker:                allWorkers(wc),
 		frontends:                 f,
 		resolveCacheImporterFuncs: resolveCI,
 		gatewayForwarder:          gatewayForwarder,
@@ -87,6 +89,7 @@ func (s *Solver) Bridge(b solver.Builder) frontend.FrontendLLBBridge {
 		builder:                   b,
 		frontends:                 s.frontends,
 		resolveWorker:             s.resolveWorker,
+		eachWorker:                s.eachWorker,
 		resolveCacheImporterFuncs: s.resolveCacheImporterFuncs,
 		cms:                       map[string]solver.CacheManager{},
 		platforms:                 s.platforms,
@@ -285,6 +288,20 @@ func defaultResolver(wc *worker.Controller) ResolveWorkerFunc {
 		return wc.GetDefault()
 	}
 }
+func allWorkers(wc *worker.Controller) func(func(w worker.Worker) error) error {
+	return func(f func(worker.Worker) error) error {
+		all, err := wc.List()
+		if err != nil {
+			return err
+		}
+		for _, w := range all {
+			if err := f(w); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
 
 func oneOffProgress(ctx context.Context, id string) func(err error) error {
 	pw, _, _ := progress.FromContext(ctx)

vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go

@@ -131,6 +131,34 @@ func ValidateEntitlements(ent entitlements.Set) LoadOpt {
 	}
 }
 
+type detectPrunedCacheID struct {
+	ids map[string]struct{}
+}
+
+func (dpc *detectPrunedCacheID) Load(op *pb.Op, md *pb.OpMetadata, opt *solver.VertexOptions) error {
+	if md == nil || !md.IgnoreCache {
+		return nil
+	}
+	switch op := op.Op.(type) {
+	case *pb.Op_Exec:
+		for _, m := range op.Exec.GetMounts() {
+			if m.MountType == pb.MountType_CACHE {
+				if m.CacheOpt != nil {
+					id := m.CacheOpt.ID
+					if id == "" {
+						id = m.Dest
+					}
+					if dpc.ids == nil {
+						dpc.ids = map[string]struct{}{}
+					}
+					dpc.ids[id] = struct{}{}
+				}
+			}
+		}
+	}
+	return nil
+}
+
 func Load(def *pb.Definition, opts ...LoadOpt) (solver.Edge, error) {
 	return loadLLB(def, func(dgst digest.Digest, pbOp *pb.Op, load func(digest.Digest) (solver.Vertex, error)) (solver.Vertex, error) {
 		opMetadata := def.Metadata[dgst]

vendor/github.com/moby/buildkit/solver/result.go

@@ -40,9 +40,9 @@ func dup(res Result) (Result, Result) {
 }
 
 type splitResult struct {
-	Result
 	released int64
 	sem      *int64
+	Result
 }
 
 func (r *splitResult) Release(ctx context.Context) error {

vendor/github.com/moby/buildkit/util/binfmt_misc/386_binary.go

@@ -0,0 +1,8 @@
+// +build !386
+
+package binfmt_misc
+
+// This file is generated by running make inside the binfmt_misc package.
+// Do not edit manually.
+
+const Binary386 = "\x1f\x8b\x08\x00\x00\x00\x00\x00\x02\xff\xec\xd8\x31\x6e\xc2\x30\x14\x06\xe0\xdf\x8d\xdb\x26\x6a\x07\x1f\x20\xaa\x3a\x74\xe8\x64\xb5\x52\xae\x00\x2c\x88\x8d\x03\x80\x14\xc1\x94\x44\x89\x91\x60\x22\x47\x60\xe0\x20\x8c\x8c\x5c\x80\x13\x70\x19\xf4\xe2\x67\x91\x81\x25\xfb\xfb\xa4\x5f\x16\xcf\xe6\x29\xeb\x7b\xfb\xd1\x74\xac\x94\x42\xf0\x82\x08\xdd\xaf\x83\x8e\x33\x00\x7f\xc6\xd7\x33\x7c\x23\xc2\x2f\x74\xb8\x27\xad\x8e\x29\x27\x00\x14\x4d\x35\x03\x7f\x6f\x7c\x0f\x4a\x02\x80\xf2\xca\x75\x7a\x77\xa4\xb4\x3a\xa6\xa4\x00\x52\xfe\x7f\xc8\x27\xbf\x9f\xcc\xe6\xd4\xef\x42\xb5\xc7\x57\x0a\x21\x84\x10\x42\x08\x21\x84\x10\x62\x88\x33\x0d\xd5\xff\xb7\x6b\x0b\xdb\xac\x1b\x57\xbb\xc5\x12\xb6\x28\x5d\x6e\x57\xc5\xc6\x56\x75\x59\xe5\xb5\xdb\xc1\xba\x7c\xeb\x86\xf4\xfd\x00\xf0\xde\xed\x13\x78\xce\xe7\x19\x3f\xd0\x7c\x7e\xf1\x5c\xff\xc6\x3b\x07\x18\xbf\x2b\x08\x54\xef\x8c\x7a\xf5\xc4\x00\x3f\x4f\xde\xdd\x03\x00\x00\xff\xff\x8d\xf7\xd2\x72\xd0\x10\x00\x00"

vendor/github.com/moby/buildkit/util/binfmt_misc/386_check.go

@@ -0,0 +1,7 @@
+// +build !386
+
+package binfmt_misc
+
+func i386Supported() error {
+	return check(Binary386)
+}

vendor/github.com/moby/buildkit/util/binfmt_misc/386_check_386.go

@@ -0,0 +1,7 @@
+// +build 386
+
+package binfmt_misc
+
+func i386Supported() error {
+	return nil
+}

vendor/github.com/moby/buildkit/util/binfmt_misc/detect.go

@@ -24,6 +24,15 @@ func SupportedPlatforms() []string {
 		if p := "linux/riscv64"; def != p && riscv64Supported() == nil {
 			arr = append(arr, p)
 		}
+		if p := "linux/ppc64le"; def != p && ppc64leSupported() == nil {
+			arr = append(arr, p)
+		}
+		if p := "linux/s390x"; def != p && s390xSupported() == nil {
+			arr = append(arr, p)
+		}
+		if p := "linux/386"; def != p && i386Supported() == nil {
+			arr = append(arr, p)
+		}
 		if !strings.HasPrefix(def, "linux/arm/") && armSupported() == nil {
 			arr = append(arr, "linux/arm/v7", "linux/arm/v6")
 		} else if def == "linux/arm/v7" {
@@ -55,6 +64,21 @@ func WarnIfUnsupported(pfs []string) {
 					printPlatfromWarning(p, err)
 				}
 			}
+			if p == "linux/ppc64le" {
+				if err := ppc64leSupported(); err != nil {
+					printPlatfromWarning(p, err)
+				}
+			}
+			if p == "linux/s390x" {
+				if err := s390xSupported(); err != nil {
+					printPlatfromWarning(p, err)
+				}
+			}
+			if p == "linux/386" {
+				if err := i386Supported(); err != nil {
+					printPlatfromWarning(p, err)
+				}
+			}
 			if strings.HasPrefix(p, "linux/arm/v6") || strings.HasPrefix(p, "linux/arm/v7") {
 				if err := armSupported(); err != nil {
 					printPlatfromWarning(p, err)

vendor/github.com/moby/buildkit/util/binfmt_misc/ppc64le_binary.go

@@ -0,0 +1,8 @@
+// +build !ppc64le
+
+package binfmt_misc
+
+// This file is generated by running make inside the binfmt_misc package.
+// Do not edit manually.
+
+const Binaryppc64le = "\x1f\x8b\x08\x00\x00\x00\x00\x00\x02\xff\xaa\x77\xf5\x71\x63\x62\x64\x64\x80\x01\x26\x06\x51\x06\x10\xaf\x82\x81\x41\x00\xc4\x77\x80\x8a\x2f\x80\xcb\x83\xc4\x2c\x18\x18\x19\x1c\x18\x58\x18\x98\xc1\x6a\x59\x19\x50\x80\x00\x32\xdd\x02\xe5\xb4\xc0\xa5\x19\x61\xa4\x05\x03\x43\x82\x05\x13\x03\x83\x0b\x83\x5e\x71\x46\x71\x49\x51\x49\x62\x12\x83\x5e\x49\x6a\x45\x09\x83\x5e\x6a\x46\x7c\x5a\x51\x62\x6e\x2a\x03\xc5\x80\x1b\x6a\x23\x1b\x94\x0f\xf3\x57\x05\x94\xcf\x83\xa6\x9e\x03\x8d\x2f\x08\xd5\xcf\x84\xf0\x87\x00\xaa\x7f\x50\x01\x0b\x1a\x1f\xa4\x97\x19\x8b\x3a\x98\x7e\x69\x2c\xea\x91\x01\x20\x00\x00\xff\xff\xce\xf7\x15\x75\xa0\x01\x00\x00"

vendor/github.com/moby/buildkit/util/binfmt_misc/ppc64le_check.go

@@ -0,0 +1,7 @@
+// +build !ppc64le
+
+package binfmt_misc
+
+func ppc64leSupported() error {
+	return check(Binaryppc64le)
+}

vendor/github.com/moby/buildkit/util/binfmt_misc/ppc64le_check_ppc64le.go

@@ -0,0 +1,7 @@
+// +build ppc64le
+
+package binfmt_misc
+
+func ppc64leSupported() error {
+	return nil
+}

vendor/github.com/moby/buildkit/util/binfmt_misc/s390x_binary.go

@@ -0,0 +1,8 @@
+// +build !s390x
+
+package binfmt_misc
+
+// This file is generated by running make inside the binfmt_misc package.
+// Do not edit manually.
+
+const Binarys390x = "\x1f\x8b\x08\x00\x00\x00\x00\x00\x02\xff\xaa\x77\xf5\x71\x63\x62\x62\x64\x80\x03\x26\x06\x31\x06\x06\x06\xb0\x00\x23\x03\x43\x05\x54\xd4\x01\x4a\xcf\x80\xf2\x2c\x18\x18\x19\x1c\x18\x98\x19\x98\xa0\x6a\x59\x19\x90\x00\x23\x1a\xcd\xc0\xc0\xd0\x80\x4a\x0b\x30\x2c\xd7\x64\x60\xe0\x62\x64\x67\x67\xd0\x2b\xce\x28\x2e\x29\x2a\x49\x4c\x62\xd0\x2b\x49\xad\x28\x61\xa0\x1e\xe0\x46\x72\x02\x1b\x9a\x7f\x60\x34\x07\x9a\x1e\x16\x34\x6f\x30\xe3\x30\x1b\xe6\x1f\x41\x34\x71\xb8\x97\x01\x01\x00\x00\xff\xff\x0c\x76\x9a\xe1\x58\x01\x00\x00"

vendor/github.com/moby/buildkit/util/binfmt_misc/s390x_check.go

@@ -0,0 +1,7 @@
+// +build !s390x
+
+package binfmt_misc
+
+func s390xSupported() error {
+	return check(Binarys390x)
+}

vendor/github.com/moby/buildkit/util/binfmt_misc/s390x_check_s390x.go

@@ -0,0 +1,7 @@
+// +build s390x
+
+package binfmt_misc
+
+func s390xSupported() error {
+	return nil
+}

vendor/github.com/moby/buildkit/util/flightcontrol/flightcontrol.go

@@ -72,6 +72,7 @@ func (g *Group) do(ctx context.Context, key string, fn func(ctx context.Context)
 		g.mu.Lock()
 		delete(g.m, key)
 		g.mu.Unlock()
+		close(c.cleaned)
 	}()
 	g.mu.Unlock()
 	return c.wait(ctx)
@@ -82,6 +83,7 @@ type call struct {
 	result  interface{}
 	err     error
 	ready   chan struct{}
+	cleaned chan struct{}
 
 	ctx  *sharedContext
 	ctxs []context.Context
@@ -97,6 +99,7 @@ func newCall(fn func(ctx context.Context) (interface{}, error)) *call {
 	c := &call{
 		fn:            fn,
 		ready:         make(chan struct{}),
+		cleaned:       make(chan struct{}),
 		progressState: newProgressState(),
 	}
 	ctx := newContext(c) // newSharedContext
@@ -127,6 +130,7 @@ func (c *call) wait(ctx context.Context) (v interface{}, err error) {
 	select {
 	case <-c.ready: // could return if no error
 		c.mu.Unlock()
+		<-c.cleaned
 		return nil, errRetry
 	default:
 	}

vendor/github.com/moby/buildkit/util/network/network.go

@@ -3,20 +3,9 @@ package network
 import (
 	"io"
 
-	"github.com/moby/buildkit/solver/pb"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
-// Default returns the default network provider set
-func Default() map[pb.NetMode]Provider {
-	return map[pb.NetMode]Provider{
-		// FIXME: still uses host if no provider configured
-		pb.NetMode_UNSET: NewHostProvider(),
-		pb.NetMode_HOST:  NewHostProvider(),
-		pb.NetMode_NONE:  NewNoneProvider(),
-	}
-}
-
 // Provider interface for Network
 type Provider interface {
 	New() (Namespace, error)
@@ -28,10 +17,3 @@ type Namespace interface {
 	// Set the namespace on the spec
 	Set(*specs.Spec)
 }
-
-// NetworkOpts hold network options
-type NetworkOpts struct {
-	Type          string
-	CNIConfigPath string
-	CNIPluginPath string
-}

vendor/github.com/moby/buildkit/worker/worker.go

@@ -33,6 +33,7 @@ type Worker interface {
 	Prune(ctx context.Context, ch chan client.UsageInfo, opt ...client.PruneInfo) error
 	GetRemote(ctx context.Context, ref cache.ImmutableRef, createIfNeeded bool) (*solver.Remote, error)
 	FromRemote(ctx context.Context, remote *solver.Remote) (cache.ImmutableRef, error)
+	PruneCacheMounts(ctx context.Context, ids []string) error
 }
 
 // Pre-defined label keys